Darkhotel APT steals IP from travelling executives

In a new report released earlier today, Kaspersky Lab revealed how it has spent four years tracking an advanced persistent threat (APT) which stealthily targets C-level executives in order to steal intellectual property and other sensitive business data.

The threat actor does this by waiting for the user to first connect to the hotel's Wi-Fi network, at which point it tricks them into downloading a backdoor masquerading as legitimate software – Google Toolbar, Adobe Flash or Windows Messenger.

Having downloaded the malicious software, the executive's device can be infected with an assortment of advanced stealing tools, such as a digitally-signed keylogger, the ‘Karba' Trojan and an information-stealing module. These will hunt for cached passwords on Firefox, Chrome and Internet Explorer and log-in credentials for Gmail Notifier, Twitter, Facebook, Yahoo and Google. The threat actor can also use the tools to steal keystrokes entered on the device.

Kaspersky Lab's global research and analysis team – which carried out the research – said that the overall aim for the cyber-espionage campaign was to look for intellectual property stored on these devices.

The firm says however that attackers are incredibly careful and stealthy in how they go about this; the ‘elite hacking crew' never go after the same target twice, get all the data they can from first contact and delete all traces of their work by removing their tools from the hotel network.

The Korean-speaking threat actor performs operations ‘with surgical precision' and was also able to compromise Wi-Fi networks that were thought to be private and secure, according to the endpoint security firm. The company later described Darkhotel as “unusually murky, long-standing and well-resourced threat actor exhibiting a strange combination of characteristics.”

The most recent travelling targets included executives from the US and Asia doing business and investing in the APAC region, such as CEOs, senior vice presidents, sales and marketing directors.

“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cyber-criminal behaviour,” he said in a statement.

“This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

However, Darkhotel malicious activity can be inconsistent: it is indiscriminate in its spread of malware alongside its highly targeted attacks. (Kaspersky has more detail on the specific malware delivery vectors here)

“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high-profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools” added Baumgartner.

Speaking to SCMagazineUK.com on Monday, Bloor Research analyst Fran Howarth chose to focus on the errors made on the user's side, rather than how advanced this particular threat might be.

“This seems like a basic awareness problem. Anyone should be wary of unexpected behaviour or requests over an insecure network,” she said.

“But, the fact that it is being used in countries such as China and Russia, which are known to harbour many computer criminals, is hardly a surprise. Executives travelling to such areas should be especially wary of insecure networks and should consider taking a separate, stripped-down device to that that they normally use in order to limit the damage in terms of the data that they contain.”

Kaspersky recommends that travelling businessmen should always view hotel networks as potentially dangerous, and so should choose a VPN provider to get encrypted communications channel when accessing public or semi-public Wi-Fi.

The firm also advises uses to view software updates with suspicion when travelling and to ensure that they have more than just basic anti-virus protection on their computers.

Kaspersky Lab says that the threat actor is still active and so it is working with enterprises to protect themselves. The firm's own products detect and neutralise the malicious programs and their variants used by the Darkhotel toolkit.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.